SECOND APPEAL BRIEF



I. REAL PARTY IN INTEREST 

International Business Machines Corporation is the real party in interest. 

II. RELATED APPEALS AND INTERFERENCES 

There are no related appeals or interferences. 

III. STATUS OF CLAIMS 

Claims 1, 3, 7-10, 12, 15, 19-20 and 25-37 are pending. Finally Rejected and Appealed. 
Claims 2, 4-6, 11, 13-14, 16-18 and 21-24 were previously canceled. 
IV. STATUS OF AMENDMENTS

No amendment was submitted after either Final Rejection.

(In response to Appellants' (first) Appeal Brief, the Examiner sent a (second) Final 
Rejection on November 15, 2007, citing Applicants' Background Information as additional prior 
art in combination with previously cited Goldfeder et al. Appellants chose to file this Second 
Appeal Brief instead of responding to the (second) Final Rejection.)

V. SUMMARY OF CLAIMED SUBJECT MATTER 

Support for each claim element is indicated in plain brackets [ ]. 

Claims 1 and 25 recite a computer implemented method and computer program product 
for evaluating a security risk of an application. [Computer program implementing automated 
processes 200 and 300.] A determination is made whether the application is shared by different 
customers [Decision 308 of Figure 3. Page 8 lines 16-17. First program instructions of original 
claim 24.] A determination is made whether a third party can have unauthorized administrative 
authority to data maintained by the application. [Decisions 212 and 225 of Figure 2. Page 7 lines 
1-2 and 9-11.] A determination is made whether a third party can have unauthorized read and/or 
write access to data maintained by the application. [Decision 217 and 224 of Figure 2. Pages 7 
lines 6-9.] A numerical value or weight is assigned to each of the foregoing determinations. 
[Steps 310, Step 226, Step 215, Step 222. Page 7 lines 6-15. Page 8 lines 17-18] Each of the 
numerical values or weights corresponds to a significance of the respective determination in 
evaluating the security risk. [Page 2 lines 7-10 and 16-18. Second program instructions of 
original claim 21 ] The numerical values or weights are combined to evaluate the security risk. 
[Page 4 lines 6-10. Page 7 lines 14-15, Step 310 and Page 8 lines 17-18, Steps 204, 215, 222 and 
230, Page 7 lines 6-9 and 14-15]. 



Claim 32 recites a computer program product for evaluating a security risk of an 
application. [Computer program implementing automated processes 200 and 300.] First 
program instructions determine whether a vulnerability in the application can be exploited by a 
person or program which has not been authenticated to the application or a system in which the 
application runs. [Decision 240 of Figure 2. Page 7 lines 15-18.] Second program instructions 
determine whether a third party can have unauthorized administrative authority to data 
maintained by the application. [Decisions 212 and 225 of Figure 2. Page 7 lines 1-2 and 9-11.] 
Third program instructions assign a numerical value or weight to each of the foregoing 
determinations. [Step 242 doubling a value assigned in step 214, 215, 222, 226 and/or 228. 
Page 7 lines 15-18. Step 226, Page 7 lines 9-11.] Each of the numerical values or weights 
correspond to a significance of the respective determination in evaluating the security risk. 
[Page 2 lines 7-10 and 17-18. Third determining step of original claim 22.] Fourth program 
instructions combine the numerical values or weights to evaluate the security risk. [Page 4 lines 
6-10. Page 7 lines 14-15, Steps 240, 242 and 204, Steps 225, 226 and 230, Page 7 lines 6-9 and 
14-15]. 

VI. Grounds of Rejection 

Claims 1, 3, 7-10, 15, 19-20 and 25-37 were rejected under 35 USC 102(e) based on 
Goldfeder et al. (US Publication No. 20040230835) in view of Applicants' Background 
Information (from Applicants' patent application). 



VII. Argument 

A proper rejection under 35 USC 103 requires, at a minimum, the Examiner to cite 
references that disclose or suggest all the elements of the claim. See In re Rijckaert, 28 
USPQ2d 1955, 1956-57 (Fed. Cir. 1993). Otherwise, the Examiner has not made a prima facie 
case of obviousness.



35 USC 103 Rejection of Claims 1, 3, 7-10, 12, 19-20, 30-31 and 36-37 
based on Goldfeder et al. and Applicants' Background Information 

Claim 1 recites a computer implemented method for evaluating a security risk of an 
application. A determination is made whether the application is shared by different customers. 
A determination is made whether a third party can have unauthorized administrative authority to 
data maintained by the application. A determination is made whether a third party can have 
unauthorized read and/or write access to data maintained by the application. A numerical value 
or weight is assigned to each of the foregoing determinations. Each of the numerical values or 
weights corresponds to a significance of the respective determination in evaluating the security 
risk. The numerical values or weights are combined to evaluate the security risk. 

Goldfeder et al. recite "Most users understand that new programs can introduce viruses or 
other malicious code on their computers." Goldfeder et al. Paragraph 002 of the Background 
section. "The application 201 may contain a virus or it may constitute spy ware." Goldfeder et 
al. Paragraph 0018. Goldfeder et al. also disclose evaluation of a security risk of an application. 
"For instance a virus evaluator may be configured to examine each component of an application 
for the possibility that the application contains a virus." Goldfeder et al. Paragraph 0035. This is 
simply scanning the application itself for the presence of virus code. In contrast, the present 
invention as recited in claim 1 determines if an application is shared by different customers or 
vulnerable to some type of attack by external factors - a vulnerability where a third party can 
have unauthorized administrative authority to data maintained by said application or a third party 
can have unauthorized read and/or write access to data maintained by the application. The 
vulnerabilities recited in claim 1 are to external attacks not based on the presence of a virus in 
the application in contrast to Goldfeder et al. 

Goldfeder et al. also disclose: "For instance, a scoring engine may have determined that 
the application has requested sufficient permissions to read and modify files on the computer, 
and to transmit data over a network connection. Based on that information, together with 
perhaps other evidence, a privacy evaluator may have determined that the application is likely to 
share the user's information over the network." Goldfeder et al. Paragraph 0039. This is an 
analysis of an application to determine whether a virus has caused the application itself to be 
malicious, i.e. likely to have accessed files and improperly transmitted file data over a network. 
Goldfeder et al. do not disclose or even suggest the step of determining if an application itself is 
shared (used) by different customers as recited in claim 1. Moreover, Goldfeder et al. do not 
disclose or even suggest the step of determining whether a third party can have unauthorized 
administrative authority to data maintained by the application as recited in claim 1. Moreover, 
Goldfeder et al. do not disclose either of these factors weighted in an algorithm to determine 
security risk. Moreover, Goldfeder et al. do not disclose either of these determinations in a 
computer implemented process for evaluating a security risk. 

10/690,017 
END920030107US1 

Applicants' Background section of the present patent application states, 

"Every software application poses some security risks. The risks include unauthorized 
access, attack by hackers, computer viruses and worms, loss or corruption of data, loss of 
availability to data or the application and theft of proprietary or personal data. The 
vulnerabilities can be caused by programming errors, configuration problems or 
application design errors." Paragraph [0002]. 

Therefore, Applicants' Background Information does not fill the gap of Goldfeder et al., and the 
rejection of claim 1 under 35 USC 103 should be reversed. 

Claims 3, 7-10, 12, 19-20, 30-31 and 36-37 depend on claim 1, and therefore distinguish 
over Goldfeder et al. and Applicants' Background Information for the same reasons that claim 1 
distinguishes thereover. Therefore, the rejection of claims 3, 7-10, 12, 19-20, 30-31 and 36-37 
under 35 USC 103 should be reversed. 

35 USC 103 Rejection of Claims 25-28 
based on Goldfeder et al. and Applicants' Background Information 

Independent claim 25 distinguishes over Goldfeder et al. and Applicants' Background 
Information for the same reasons that claim 1 distinguishes thereover. Therefore, the rejection of 
claim 25 under 35 USC 103 should be reversed. Claims 26-28 depend on claim 25, and 
therefore the rejection of claims 26-28 under 35 USC 103 should be reversed for the same 
reasons. 
35 USC 103 Rejection of Claims 32-34 
based on Goldfeder et al. and Applicants' Background Information 



Claim 32 recites a computer program product for evaluating a security risk of an 
application. First program instructions determine whether a vulnerability in the application can 
be exploited by a person or program which has not been authenticated to the application or a 
system in which the application runs. Second program instructions determine whether a third 
party can have unauthorized administrative authority to data maintained by the application. 
Third program instructions assign a numerical value or weight to each of the foregoing 
determinations. Each of the numerical values or weights corresponds to a significance of the 
respective determination in evaluating the security risk. Fourth program instructions combine 
the numerical values or weights to evaluate the security risk. 

As noted above, Goldfeder et al. recite "Most users understand that new programs can 
introduce viruses or other malicious code on their computers." Goldfeder et al. Paragraph 002 
of the Background section. "The application 201 may contain a virus or it may constitute spy 
ware." Goldfeder et al. Paragraph 0018. Goldfeder et al. also disclose evaluation 
of a security risk of an application. "For instance a virus evaluator may be configured to 
examine each component of an application for the possibility that the application contains a 
virus." Goldfeder et al. Paragraph 0035. This is simply scanning the application itself for the 
presence of virus code. In contrast, the present invention as recited in claim 32 determines 
whether a third party can have unauthorized administrative authority to data maintained by 
the application. This is an external attack not based on the presence of a virus in the application 
in contrast to Goldfeder et al. Goldfeder et al. do not disclose or even suggest an assessment of 
security based on whether there is unauthorized administrative authority. 

Goldfeder et al. also disclose: "For instance, a scoring engine may have determined that 
the application has requested sufficient permissions to read and modify files on the computer, 
and to transmit data over a network connection. Based on that information, together with 
perhaps other evidence, a privacy evaluator may have determined that the application is likely to 
share the user's information over the network." Goldfeder et al. Paragraph 0039. This is an 
analysis of an application to determine whether a virus in the application has caused the 
application to be malicious, i.e. likely to have accessed files and improperly transmitted file data 
over a network. In contrast, the present invention as recited in claim 32 determines if a third 
party can have unauthorized administrative authority to data maintained by the application. 
This is a much different test than in Goldfeder et al. Goldfeder et al. do not disclose or even 
suggest this program step of claim 32. Moreover, Goldfeder et al. do not disclose this 
determination in a computer implemented process for evaluating a security risk. 

Applicants' Background section of the present patent application states, 

"Every software application poses some security risks. The risks include unauthorized 
access, attack by hackers, computer viruses and worms, loss or corruption of data, loss of 
availability to data or the application and theft of proprietary or personal data. The 
vulnerabilities can be caused by programming errors, configuration problems or 
application design errors." Paragraph [0002]. 

Therefore, Applicants' Background Information does not fill the gap of Goldfeder et al., and the 
rejection of claim 32 under 35 USC 103 should be reversed. 

Claims 33-34 depend on claim 32 and therefore distinguish over Goldfeder et al. and 
Applicants' Background Information for the same reasons that claim 32 distinguishes thereover. 
Therefore, the rejection of claims 33-34 under 35 USC 103 should be reversed. 
35 USC 103(a) Rejection of Claims 15, 29 and 35 
Based on Goldfeder et al. 

Claim 15 depends on claim 1 and further recites the following. A determination is made 
whether there is a requirement for authentication of the application or a system in which the 
application runs to other systems before connection of the application or the system in which 
the application runs to said other systems. A numerical value or weight is assigned to this 

determination and used in evaluating the security risk. To support the rejection of claim 15, the 
Examiner cites Gold paragraph [0021], " the ADO 221 may include, in object form, the name of 
the application, the version of the application, what rights and permissions the constituent 
components of the application desire, privacy policy information, digital signature information, 
and the like." 

The Examiner asserts that "reading the digital signature of an application [is] equivalent 
to requiring it to authenticate." However, claim 15 specifies another weighted factor to evaluate 
a security risk, not a process of authentication itself. Goldfeder et al. do not disclose or even 
suggest the additional weighted factor of claim 15, in combination with those of claim 1, in 
determining a security risk. Therefore, the rejection of claim 15 under 35 USC 103 should be 
reversed for the same reason that the rejection of claim 1 should be reversed and the additional 
reason explained above. 

Claim 29 depends on claim 25, and further distinguishes over Goldfeder et al. and 
Applicants' Background Information as does claim 15. Therefore, the rejection of claim 29 
under 35 USC 103 should be reversed for the same reason that the rejection of claim 25 should 
be reversed and the additional reason explained above. 

Claim 35 depends on claim 32, and further distinguishes over Goldfeder et al. and 
Applicants' Background Information as does claim 15. Therefore, the rejection of claim 35 
under 35 USC 103 should be reversed for the same reason that the rejection of claim 32 should 
be reversed and the additional reason explained above. 
Based on the foregoing, the rejection under 35 USC 103 of all pending claims should be 
reversed. 



Respectfully submitted, 



Dated: 04/15/08 
Telephone: 607-429-4368 
Fax No.: 607-429-4119 



/Arthur J. Samodovitz/ 
Arthur J. Samodovitz 
Reg. No. 31,297 
VIII. CLAIMS APPENDIX: 



1. A computer implemented method for evaluating a security risk of an application, said 
method comprising the steps of: 

determining whether the application is shared by different customers; 

determining whether a third party can have unauthorized administrative authority to data 
maintained by said application; 

determining whether a third party can have unauthorized read and/or write access to data 
maintained by said application; 

assigning a numerical value or weight to each of the foregoing determinations, each of 
said numerical values or weights corresponding to a significance of the respective determination 
in evaluating said security risk; and 

combining said numerical values or weights to evaluate said security risk. 

3. A computer implemented method as set forth in claim 1 further comprising the steps of: 

determining whether said application is subject to industry controls for security; and 

assigning a numerical value or weight to the determination whether said application is 
subject to industry controls for security, and using the numerical value or weight for the 
determination whether said application is subject to industry controls for security in evaluating 
said security risk. 

7. A computer implemented method as set forth in claim 1 further comprising the steps of: 
determining whether a third party can have unauthorized read and write access to said 
data; and 

assigning a numerical value or weight to the determination whether a third party can have 
unauthorized read and write access to said data, and using the numerical value or weight for the 
determination whether a third party can have unauthorized read and write access to said data in 
evaluating said security risk. 

8. A computer implemented method as set forth in claim 1 further comprising the steps of: 

determining whether a vulnerability in said application can be exploited by a person or 
program which has not been authenticated to said application or a system in which said 
application runs; and 

assigning a numerical value or weight to the determination whether the vulnerability in 
said application can be exploited by a person or program which has not been authenticated to 
said application or a system in which said application runs and using the numerical value or 
weight to the determination whether the vulnerability in said application can be exploited by a 
program or person which has not been authenticated to said application or a system in which said 
application runs in evaluating said security risk. 

9. A computer implemented method as set forth in claim 1 further comprising the steps of: 

determining whether said data maintained by said application is confidential; and 
wherein 

the numerical value or weight assigned to the determination whether a third party can 
have unauthorized write access to said data is based in part on whether said data is confidential. 
10. A computer implemented method as set forth in claim 1 further comprising the steps of: 



determining whether a customer has direct use of said application; and 

assigning a numerical value or weight to the determination whether a customer has direct 
use of said application, and using the numerical value or weight for the determination whether a 
customer has direct use of said application in evaluating said security risk. 

12. A computer implemented method as set forth in claim 1 further comprising the steps of: 

determining whether there is an intrusion detection system and vulnerability scanning for 
said application; and 

assigning a numerical value or weight to the determination whether there is an intrusion 
detection system and vulnerability scanning for said application, and using the numerical value 
or weight for the determination whether there is an intrusion detection system and vulnerability 
scanning for said application in evaluating said security risk. 

15. A computer implemented method as set forth in claim 1 further comprising the steps of: 

determining whether there is a requirement for authentication of said application or a 
system in which said application runs to other systems before connection of said application or 
said system in which said application runs to said other systems; and 

assigning a numerical value or weight to the determination whether there is a requirement 
for authentication of said application or a system in which said application runs to other systems 
before connection of said application or said system in which said application runs to said other 
systems, and using the numerical value or weight for said requirement for authentication in 
evaluating said security risk. 
19. A computer implemented method as set forth in claim 1 further comprising the step of 
comparing the evaluation of said security risk to a cost savings provided by said application, and 
determining whether to certify said application for use based in part on said comparison. 

20. A computer implemented method as set forth in claim 1 further comprising the step of 
comparing the evaluation of said security risk to a revenue provided by said application, and 
determining whether to certify said application for use based in part on said comparison. 

25. A computer program product for evaluating a security risk of an application, said 
computer program product comprising: 

a computer readable media; 

first program instructions to determine whether the application is shared by different 
customers; 

second program instructions to determine whether a third party can have unauthorized 
administrative authority to data maintained by said application; 

third program instructions to determine whether a third party can have unauthorized read 
and/or write access to data maintained by said application; 

fourth program instructions to assign a numerical value or weight to each of the 
foregoing determinations, each of said numerical values or weights corresponding to a 
significance of the respective determination in evaluating said security risk; and 

fifth program instructions to combine said numerical values or weights to evaluate said 
security risk; and wherein 

said first, second, third, fourth and fifth program instructions are recorded on said media. 

26. A computer program product as set forth in claim 25 wherein: 
said third program instructions determine whether a third party can have unauthorized 
read and write access to said data; 

said fourth program instructions assign a numerical value or weight to the determination 
whether a third party can have unauthorized read and write access to said data; and 

said fifth program instructions also use the numerical value or weight for the 
determination whether a third party can have unauthorized read and write access to said data in 
evaluating said security risk. 

27. A computer program product as set forth in claim 25 further comprising: 

sixth program instructions to determine whether a vulnerability in said application can be 
exploited by a person or program which has not been authenticated to said application or a 
system in which said application runs; and 

seventh program instructions to assign a numerical value or weight to the determination 
whether the vulnerability in said application can be exploited by a person or program which has 
not been authenticated to said application or a system in which said application runs; and 
wherein 

said fifth program instructions also use the numerical value or weight to the 
determination whether the vulnerability in said application can be exploited by a program or 
person which has not been authenticated to said application or a system in which said application 
runs to evaluate said security risk; and 

said sixth and seventh program instructions are recorded on said media in functional 
form. 

28. A computer program product as set forth in claim 25 further comprising: 
sixth program instructions to determine whether a customer has direct use of said 
application; and 

seventh program instructions to assign a numerical value or weight to the determination 
whether a customer has direct use of said application; and wherein 

said fifth program instructions also use the numerical value or weight for the 
determination whether a customer has direct use of said application in evaluating said security 
risk; and 

said sixth and seventh program instructions are recorded on said media. 

29. A computer program product as set forth in claim 25 further comprising: 

sixth program instructions to determine whether there is a requirement for authentication 
of said application or a system in which said application runs to other systems before connection 
of said application or said system in which said application runs to said other systems; and 

fifth program instructions to assign a numerical value or weight to the determination 
whether there is said requirement for authentication; and wherein 

said fifth program instructions also use the numerical value or weight for said 
requirement for authentication in evaluating said security risk; and 

said sixth and seventh program instructions are recorded on said media. 
30. A computer program product as set forth in claim 25 further comprising: 

sixth program instructions to compare the evaluation of said security risk to a cost 
savings provided by said application, and determine whether to certify said application for use 
based in part on said comparison; and wherein 

said sixth program instructions are recorded on said media. 

31. A computer program product as set forth in claim 25 further comprising: 

sixth program instructions to compare the evaluation of said security risk to a revenue 
provided by said application, and determine whether to certify said application for use based in 
part on said comparison; and wherein 

said sixth program instructions are recorded on said media. 
32. A computer program product for evaluating a security risk of an application, said 
computer program product comprising: 

a computer readable media; 

first program instructions to determine whether a vulnerability in said application can be 
exploited by a person or program which has not been authenticated to said application or a 
system in which said application runs; 

second program instructions to determine whether a third party can have unauthorized 
administrative authority to data maintained by said application; 

third program instructions to assign a numerical value or weight to each of the foregoing 
determinations, each of said numerical values or weights corresponding to a significance of the 
respective determination in evaluating said security risk; and 

fourth program instructions to combine said numerical values or weights to evaluate said 
security risk; and wherein 

said first, second, third and fourth program instructions are recorded on said media. 
33. A computer program product as set forth in claim 32 further comprising: 



fifth program instructions to determine whether a third party can have unauthorized read 
and/or write access to data maintained by said application; and 

sixth program instructions to assign a numerical value or weight to the determination 
whether a third party can have unauthorized read and/or write access to data maintained by said 
application; and wherein 

said fourth program instructions also use the numerical value or weight to the 
determination whether a third party can have unauthorized read and/or write access to data 
maintained by said application to evaluate said security risk; and 

said fifth and sixth program instructions are recorded on said media in functional form. 

34. A computer program product as set forth in claim 32 further comprising: 

fifth program instructions to determine whether a customer has direct use of said 
application; and 

sixth program instructions to assign a numerical value or weight to the determination 
whether a customer has direct use of said application; and wherein 

said fourth program instructions also use the numerical value or weight for the 
determination whether a customer has direct use of said application in evaluating said security 
risk; and 

said fifth and sixth program instructions are recorded on said media. 
35. A computer program product as set forth in claim 32 further comprising: 

fifth program instructions to determine whether there is a requirement for authentication 
of said application or a system in which said application runs to other systems before connection 
of said application or said system in which said application runs to said other systems; and 

sixth program instructions to assign a numerical value or weight to the determination 
whether there is said requirement for authentication of said application or said system; and 
wherein 

said fourth program instructions also use the numerical value or weight for said 
requirement for authentication of said application or said system in evaluating said security risk; 
and 

said fifth and sixth program instructions are recorded on said media. 

36. A computer program product as set forth in claim 32 further comprising: 

fifth program instructions to compare the evaluation of said security risk to a cost savings 
provided by said application, and determine whether to certify said application for use based in 
part on said comparison; and wherein 

said fifth program instructions are recorded on said media. 
37. A computer program product as set forth in claim 32 further comprising: 

fifth program instructions to compare the evaluation of said security risk to a revenue 
provided by said application, and determine whether to certify said application for use based in 
part on said comparison; and wherein 

said fifth program instructions are recorded on said media. 
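The weighted evaluation recited in claims 1, 9, 12, 15 and 19 above, written out as a Python illustration. This is an added example, not code from the application, from the brief or from IBM: the field names, the numeric weights, the increment applied to the write-access weight when the data is confidential, the doubling applied when a vulnerability is exploitable without authentication (the Summary of Claimed Subject Matter describes step 242 as doubling earlier values, but gives no further detail), and the dollars-per-risk-point factor used to compare the score with a cost savings are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed weights. The claims say each weight reflects the significance of
# its determination but never state actual numbers; these are assumptions.
DEFAULT_WEIGHTS = {
    "shared_by_different_customers": 3,       # claim 1, first determination
    "unauthorized_admin_authority": 5,        # claim 1, second determination
    "unauthorized_read_access": 2,            # claim 1, third determination (read)
    "unauthorized_write_access": 3,           # claim 1, third determination (write)
    "no_authentication_to_other_systems": 2,  # claim 15
    "no_ids_or_vulnerability_scanning": 2,    # claim 12
}
# Claim 9: the write-access weight depends in part on confidentiality (assumed value).
CONFIDENTIAL_WRITE_INCREMENT = 2
# Summary, step 242: an unauthenticated-exploitable vulnerability doubles earlier values
# (the multiplier and the "apply to the whole subtotal" reading are assumptions).
UNAUTHENTICATED_EXPLOIT_MULTIPLIER = 2


@dataclass
class ApplicationAssessment:
    """Yes/no answers gathered for one application (field names are assumptions)."""
    shared_by_different_customers: bool
    unauthorized_admin_authority: bool
    unauthorized_read_access: bool
    unauthorized_write_access: bool
    data_is_confidential: bool = False
    exploitable_without_authentication: bool = False
    requires_authentication_to_other_systems: bool = True
    has_ids_and_vulnerability_scanning: bool = True


def evaluate_security_risk(assessment, weights=None):
    """Return (score, contributions): the combined risk score and the weight
    each determination contributed, so a reviewer can see what drove the result."""
    w = dict(DEFAULT_WEIGHTS if weights is None else weights)
    a = assessment
    contributions = {}

    if a.shared_by_different_customers:
        contributions["shared_by_different_customers"] = w["shared_by_different_customers"]
    if a.unauthorized_admin_authority:
        contributions["unauthorized_admin_authority"] = w["unauthorized_admin_authority"]
    if a.unauthorized_read_access:
        contributions["unauthorized_read_access"] = w["unauthorized_read_access"]
    if a.unauthorized_write_access:
        write_weight = w["unauthorized_write_access"]
        if a.data_is_confidential:          # claim 9: confidentiality raises the write weight
            write_weight += CONFIDENTIAL_WRITE_INCREMENT
        contributions["unauthorized_write_access"] = write_weight
    if not a.requires_authentication_to_other_systems:   # claim 15
        contributions["no_authentication_to_other_systems"] = w["no_authentication_to_other_systems"]
    if not a.has_ids_and_vulnerability_scanning:         # claim 12
        contributions["no_ids_or_vulnerability_scanning"] = w["no_ids_or_vulnerability_scanning"]

    # Claim 1, last step: combine the weights (here, a plain sum).
    score = sum(contributions.values())
    # Claim 8 / step 242: exploitable without authentication doubles the subtotal.
    if a.exploitable_without_authentication:
        score *= UNAUTHENTICATED_EXPLOIT_MULTIPLIER
    return score, contributions


def should_certify(score, cost_savings, cost_per_risk_point):
    """Claim 19: compare the risk evaluation with the cost savings the application
    provides and certify it for use when the savings cover the risk. Converting
    risk points to currency via cost_per_risk_point is an assumed mechanism."""
    return score * cost_per_risk_point <= cost_savings


if __name__ == "__main__":
    # Constructed sample: a multi-tenant application with every weakness present.
    worst_case = ApplicationAssessment(
        shared_by_different_customers=True,
        unauthorized_admin_authority=True,
        unauthorized_read_access=True,
        unauthorized_write_access=True,
        data_is_confidential=True,
        exploitable_without_authentication=True,
        requires_authentication_to_other_systems=False,
        has_ids_and_vulnerability_scanning=False,
    )
    score, parts = evaluate_security_risk(worst_case)
    print(score, parts)
    print(should_certify(score, cost_savings=50_000, cost_per_risk_point=1_000))
```

Returning the per-determination contributions alongside the score is the part worth keeping in a real evaluator: an auditor can then see that, for the worst-case sample, the doubled subtotal of 19 (3 + 5 + 2 + 5 + 2 + 2) gives 38, and which single determination to remediate first.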
IX. Evidence Appendix 

There is no evidence entered or relied upon in the appeal. 

X. Related Proceedings Appendix 

There are no related proceedings and therefore no copies of decisions to provide. 